CVE-2026-24696: CWE-307 in Everon api.everon.io
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
AI Analysis
Technical Summary
CVE-2026-24696 identifies a security weakness in the Everon api.everon.io WebSocket API, specifically a lack of restrictions on the number of authentication requests allowed. This vulnerability is classified under CWE-307, which relates to improper restriction of excessive authentication attempts. The WebSocket API accepts authentication requests without any rate limiting or throttling mechanisms, enabling attackers to flood the system with authentication attempts. This can lead to two primary attack vectors: denial-of-service (DoS) and brute-force attacks. In a DoS scenario, attackers can overwhelm the API with authentication requests, causing legitimate charger telemetry data to be suppressed or mis-routed, effectively disrupting the monitoring and management of electric vehicle charging infrastructure. Alternatively, attackers can use brute-force techniques to guess authentication credentials without limitation, increasing the risk of unauthorized access. The vulnerability affects all versions of the Everon api.everon.io product, indicating a systemic design flaw. The CVSS v3.1 score of 7.5 (high) reflects the network attack vector, low attack complexity, no privileges or user interaction required, and a significant impact on availability, though confidentiality and integrity remain unaffected. No patches or mitigations have been officially released at the time of publication, and no known exploits have been observed in the wild. The vulnerability was reserved and published in early 2026 by ICS-CERT, emphasizing its relevance to industrial control and critical infrastructure sectors.
Potential Impact
The primary impact of this vulnerability is on the availability of the Everon api.everon.io service, which is critical for the telemetry and control of electric vehicle charging stations. A successful denial-of-service attack could disrupt the flow of telemetry data, leading to operational outages, inaccurate monitoring, and potential failures in charging infrastructure management. This disruption could affect electric vehicle users, charging station operators, and grid management entities relying on accurate and timely data. Additionally, the lack of rate limiting facilitates brute-force attacks that could lead to unauthorized access, potentially allowing attackers to manipulate charging sessions, cause financial losses, or gain footholds for further attacks. Given the increasing reliance on EV infrastructure globally, such disruptions could have cascading effects on energy distribution and transportation sectors. Because exploitation requires neither prior authentication nor user interaction, the barrier to attack is low and the pool of potential attackers correspondingly wide. Organizations using Everon's API must consider the risk of service degradation and unauthorized access, which could undermine trust and operational continuity.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement strict rate limiting on authentication requests at the WebSocket API layer to prevent excessive attempts from any single source. Deploying Web Application Firewalls (WAFs) or API gateways with built-in throttling and anomaly detection can help identify and block suspicious authentication floods. Monitoring authentication logs for unusual patterns, such as rapid repeated attempts from the same IP or user agent, is essential for early detection. Employing multi-factor authentication (MFA) where possible can reduce the risk of brute-force success. Network segmentation and limiting exposure of the api.everon.io endpoint to trusted networks or VPNs can reduce attack surface. Vendors should prioritize releasing patches or updates that enforce authentication attempt limits and improve logging and alerting capabilities. Additionally, organizations should conduct regular security assessments and penetration testing focused on authentication mechanisms. Incident response plans should include procedures for mitigating DoS attacks and unauthorized access attempts targeting this API. Finally, educating operational staff about the risks and signs of exploitation will enhance overall security posture.
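One way to implement the per-source limit on authentication attempts described above, as an added example that is not Everon's code: the throttle keys on the client address, the auth-frame shape (`{"type": "auth", "token": "..."}`), the threshold values and the token verifier are all assumptions.

```python
"""Per-source throttle for WebSocket authentication frames (CWE-307 mitigation)."""
import json
import time
from collections import deque

class AuthThrottle:
    """Sliding-window cap on auth attempts per source; lockout doubles on repeat breaches."""
    def __init__(self, max_attempts=5, window=60.0, base_lockout=30.0, clock=time.monotonic):
        self.max_attempts, self.window, self.base_lockout = max_attempts, window, base_lockout
        self.clock = clock        # injectable so tests can run deterministically
        self.attempts = {}        # source -> deque of attempt timestamps inside the window
        self.locked_until = {}    # source -> (lockout expiry, consecutive breach count)

    def check(self, source):
        """Return True if an auth attempt from `source` may be processed right now."""
        now = self.clock()
        expiry, strikes = self.locked_until.get(source, (0.0, 0))
        if now < expiry:
            return False
        q = self.attempts.setdefault(source, deque())
        while q and now - q[0] > self.window:
            q.popleft()           # forget attempts that have aged out of the window
        if len(q) >= self.max_attempts:
            self.locked_until[source] = (now + self.base_lockout * 2 ** strikes, strikes + 1)
            q.clear()
            return False
        q.append(now)
        return True

    def record_success(self, source):
        """A successful login clears the window and the escalating lockout."""
        self.attempts.pop(source, None)
        self.locked_until.pop(source, None)
MAX_AUTH_FRAMES_PER_CONNECTION = 3    # hypothetical policy value

def handle_auth_frame(throttle, source, raw_frame, prior_auth_frames, verify_token):
    """Handle one text frame on a not-yet-authenticated socket. Returns 'authenticated',
    'rejected', 'rate_limited' or 'close' (the caller closes the socket)."""
    try:
        msg = json.loads(raw_frame)
    except ValueError:
        return "close"                 # malformed frame before auth: drop the socket
    if not isinstance(msg, dict) or msg.get("type") != "auth" \
            or prior_auth_frames >= MAX_AUTH_FRAMES_PER_CONNECTION:
        return "close"                 # only a few auth frames allowed per connection
    if not throttle.check(source):
        return "rate_limited"          # refused before any credential check is spent
    if verify_token(msg.get("token", "")):
        throttle.record_success(source)
        return "authenticated"
    return "rejected"
```

Because the throttle answers before the token is verified, a flood of bad frames costs the server a dictionary lookup rather than a credential check, which addresses the availability impact as well as the brute-force one.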
Affected Countries
United States, Germany, China, United Kingdom, France, Japan, South Korea, Netherlands, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: icscert
- Date Reserved: 2026-02-25T15:28:27.129Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69aaf339c48b3f10ffa20e21
Added to database: 3/6/2026, 3:31:05 PM
Last enriched: 3/13/2026, 7:24:23 PM
Last updated: 4/21/2026, 3:48:15 AM